(U//FOUO) TLP: AMBER

The Risk: The Multi-State Information Sharing and Analysis Center (MS-ISAC) assesses with high confidence that cyber threat actors routinely target universities for financial gain, notoriety, or entertainment, and often to gain access to personally identifiable information (PII) and/or sensitive research. MS-ISAC believes universities are inherently more vulnerable to cyber targeting than other state, local, tribal, and territorial (SLTT) government entities, because their non-restrictive research environment has less compartmentalization and fewer access restrictions. This means more opportunity for infection and, once an infection occurs, easier spread through the network.

• Incident frequency remained relatively consistent in 2015 compared to 2014, but incidents spiked in July and August 2015 as seen in Figure 1. The August spike may be partially caused by the return of students to campus and increased traffic on university networks.
• Nation-state actors pose the gravest threat to university systems and to the broader national security interest. This is due to nation-state actors' more advanced skill sets and their tendency to strategically target universities with developed research programs, or those that are Cleared Defense Contractors (CDC) or Centers for Academic Excellence (CAE), which may hold engineering, health, science or defense research crucial to U.S. national security.
• Based on MS-ISAC data, universities are most likely to be targeted via a phishing email, and malware infection is the most likely tactic, technique or procedure (TTP) a university will experience.

Damaging cyber attacks against the U.S. energy infrastructure do not currently pose a significant threat, according to an intelligence assessment released in January by the Department of Homeland Security and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). While cyber actors backed by a number of nation-states are actively “targeting US energy sector enterprise networks,” these activities are focused primarily on supporting cyber espionage and on acquiring and maintaining “persistent access to facilitate the introduction of malware” in the event of “hostilities with the United States.”

The restricted DHS assessment titled “Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector” was obtained by Public Intelligence and reveals that at least seventeen intrusions against the U.S. energy sector were traced back to APT actors in FY 2014. The attacks never resulted in damage or disruption, but were instead focused on “data theft from enterprise networks” and “accessing and maintaining presence on ICS” networks and systems. One example cited in the assessment is a piece of malware called Havex that was “likely developed by Russian state-sponsored cyber actors.” The existence of the malware was first disclosed in a June 2014 blog post by Finnish security firm F-Secure which described how the remote access tool (RAT) was being used as part of an industrial espionage campaign. DHS states that this campaign dates back to 2011 and that while the “main function is to gather information,” Havex can also run “specialized plug-ins for additional capabilities.”

The assessment also mentions an attack on the Ukrainian energy sector in December 2015 that resulted in at least 80,000 customers losing power for up to six hours. At the time the assessment was written, ICS-CERT stated that they were “unable to confirm” the event was triggered by cyber means, but that a sample of the malware provided by the Ukrainian Government had the capability to “enable remote access and delete computer content, including system drives.” While DHS does not attribute the attack to any specific cyber actor, the assessment states that the attack is “consistent with our understanding of Moscow’s capability and intent, including observations of cyber operations during regional tensions.”

A month after the DHS assessment was published, ICS-CERT released an alert describing the attack in much greater detail and relaying the findings of a team that included representatives of the U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, FBI and North American Electric Reliability Corporation. The alert increased the number of those affected by the attack to more than 225,000 customers, noting that the attack was “reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.” The attackers reportedly “acquired legitimate credentials and leveraged valid remote access pathways” to cause 50 regional substations to experience “malicious remote operation of their breakers conducted by multiple external humans.”

ICS-CERT also released a restricted version of the alert marked For Official Use Only that included non-public details and analysis of the vulnerabilities exposed by the attack. An updated version of the restricted alert from March was also obtained by Public Intelligence and states that “critical infrastructure [industrial control system or ICS] networks, across multiple sectors, are vulnerable to similar attacks.” ICS-CERT argues that the “incident highlights the urgent need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures that reduce risks” that could result from the use of a number of different techniques that were employed by the attackers, including:

• Theft of legitimate user credentials to enable access masquerading as approved users,
• Leveraging legitimate remote access pathways (VPNs),
• The remote operation of human-machine interface (HMI) via company installed remote access software (such as RDP, TeamViewer or rlogin)
• The use of destructive malware such as KillDisk to disable industrial control systems (ICSs) and corporate network systems
• Firmware overwrites that disable/destroy field equipment
• Unauthorized scheduled disconnects of uninterruptible power supplies (UPS) to devices to deny their availability
• The delivery of malware via spear-phishing emails and the use of malicious Microsoft Office attachments
• Use of Telephone Denial of Service (TDoS) to disrupt operations and restoration.

During the attacks, “remote human operators” accessed the workstations of dispatchers at the facilities using legitimately installed remote access tools. They used this access to trip the breakers, change the passwords for key systems, corrupt the firmware of serial-to-Ethernet converters used for substation communication, and leverage backup battery systems to trigger shutdowns of connected servers and devices. In one instance, the attackers used an uninterruptible power supply (UPS) to target an internal telecommunications server, which cut off “all internal communications with regional offices and distribution substations.”

Despite the risks demonstrated in the Ukrainian attack, the DHS assessment from January tries to downplay the threat posed by state actors, noting that 63 percent of malicious cyber activity in FY 2014 was “unattributed, low-level activity” related to cybercrime using methods such as ransomware and denial-of-service attacks. The assessment’s authors also include a section criticizing the media’s over-hyping of cyber attacks and cyber warfare as leading to “misperceptions about the cyber threat to the US energy sector.” The term “cyber attack” is often used by the media and private sector to refer to incidents and activities that are not necessarily intended to “cause denial, disruption, destruction, or other negative effects” which would better be described as “cyber espionage, and even low-level, untargeted incidents of cybercrime.” The assessment even speculates that overuse of the term could lead to “alarm fatigue” which could lead to less reporting of incidents and longer response times.

Over the past 18-24 months, an unknown number of online extremists have conducted “hacktivist” cyber operations – primarily Web site defacements, denial-of-service attacks, and release of personally identifiable information (PII) in an effort to spread pro-Islamic State of Iraq and the Levant (ISIL) propaganda and to incite violence against the United States and the West. Recent open source reporting from the Daily Mail India, indicates ISIL is recruiting Indian hackers and offering upwards of $10,000 USD per job to hack government Web sites, steal data, and to build social media databases for recruiting purposes. Indian officials believe as many as 30,000 hackers in India may have been contacted. The FBI cannot confirm the validity of the media reports, and beyond this single article on Indian hackers and ISIL, does not have information indicating any such relationship exists to date. The FBI assesses this activity is most likely independent of ISIL’s leaders located in Syria and Iraq.

Threat

The FBI has no information at this time that would identify any specific group or industry sector being targeted by pro-ISIL Web site defacements. We assess Web site vulnerabilities found using automated tools are the primary reason for target selection in past victims. Releases of PII, also known as doxing, by pro-ISIL hacktivists have primarily focused on U.S. and Western government personnel, especially military and law enforcement.

Since at least August 2015, a group of pro-ISIL hackers calling themselves “Elite Islamic State Hackers,” “Islamic Cyber Army,” and “Caliphate Cyber Army” have been associated with multiple Web site defacements and PII releases. In September 2015, group members began posting a series of messages via Twitter stating that they were conducting cyber attacks against the United States in commemoration of the September 11th terrorist attacks using the hash tag #AmericaUnderHacks for their Twitter postings. The postings included screenshots displaying access to several victim Web sites, as well as the posting of PII on President Barack Obama, the First Lady Michelle Obama, Congressional Staff members, government employees, and U.S. military members. Since the #AmericaUnderHacks hacking campaign in September 2015, group members have executed similar campaigns against the United Kingdom (#BritainUnderHacks), Saudi Arabia (#SaudiUnderHacks), Russia (#RussiaUnderHacks), and Israel (#IsraelUnderHacks).

Open source reporting in India has noted the existence of several “hacking groups” within India. Thus far, such reporting has identified group names like “Indian Cyber Army” or “Shakti Campaign” and referenced such groups as having worked on behalf of the Indian government against Pakistan. To date, we have yet to see any validated reporting as to the capabilities of such groups, or been able to confirm their existence. It does stand to reason, however, that criminal hacking activity, whether by individuals or organized groups, exists in India and could potentially target US companies both for financial gain and for general acclaim.

Technical Details

The FBI assesses most pro-ISIL hacktivist groups use relatively unsophisticated methods and tools to scan for and exploit well-known Web site vulnerabilities. Structured Query Language (SQL) injection, Cross Site Scripting (XSS), and social engineering tactics to obtain account credentials are assessed to be in the capability range of pro-ISIL cyber actors.

The recruited Indian hackers are reportedly communicating on Internet based services like Skype, Silent Circle, Telegram, and WhatsApp. Pro-ISIL hackers use social media platforms like Twitter to make public announcements and release PII. Larger PII releases have been uploaded to online text sharing sites such as Pastebin.com and Justpaste.it.


Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a “standard tool” to be applied against entire nations (Figure 1, see the picture gallery). Twenty-seven countries are listed as targets of the HACIENDA program in the presentation (Figure 2), which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail (Figure 3).

Figure 1: The HACIENDA program (from the slide gallery “Hacienda, Mugshot, Olympia, ORB – Slides and Graphics”)

The documents do not spell out details of a review process or any need to justify such an action. It should also be noted that the ability to port-scan an entire country is hardly wild fantasy: in 2013, a port scanner called ZMap was released that can scan the entire IPv4 address space in less than one hour from a single PC. [3] Used at this scale, the technique can make any server anywhere, large or small, a target for criminal state computer saboteurs.

The list of targeted services includes ubiquitous public services such as HTTP and FTP, as well as common administrative protocols such as SSH (Secure Shell, used for remote access to systems) and SNMP (Simple Network Management Protocol, used for network administration) (Figure 4). Given that port scanning tools like ZMap now allow anyone to do comprehensive scans, it is not the technology used that is shocking, but rather the gargantuan scale and pervasiveness of the operation. The next section gives background on how port-mapping tools work and what information they yield, making clear what becomes possible when a state actor uses them at scale.

Background: The TCP Three-Way Handshake

The most commonly used protocol on the Internet is TCP, the Transmission Control Protocol. Every time an email is sent or a web page is browsed, TCP is the protocol that moves the data reliably between clients and servers. Port-mapping tools take advantage of a basic property of TCP's design to determine what services are running on a system, and since the early days of TCP, port scanning has been used by attackers to locate vulnerable systems. Whenever a TCP client wants to communicate with a TCP server, the two parties perform what is called the TCP three-way handshake. The design of this handshake is the foundation for port-mapping tools: during the handshake, the server leaks whether a service is available without checking the client’s authorization.

Figure 5 illustrates the sequence of TCP packets sent to establish a connection. The host that wants to initiate a connection first sends a TCP SYN (“synchronize”) packet. If the destination host accepts the connection request, it replies with a SYN/ACK (“synchronize/acknowledge”) packet. After receiving this positive reply, the initiating host sends an ACK (“acknowledge”) packet, which completes the three-way handshake. The handshake allows an adversary to determine easily whether a TCP service is offered at a given port on an Internet host: if the port is closed, the server reacts differently to the SYN (Figure 6), sending a RST (“reset”) packet instead of the SYN/ACK it would send were the port open. Thus an adversary can map Internet services simply by comparing the server’s replies in the packet flows of Figure 5 and Figure 6. A scanner does not even need to complete the handshake: after the SYN/ACK it can answer with a RST instead of the final ACK (a “half-open” or SYN scan), so the listening application never sees a connection. If a firewall silently drops the SYN, neither reply arrives and the scanner reports the port as filtered.

The Authors

Julian Kirsch is finishing his Master’s degree at the Technische Universität München, where he will soon join Prof. Eckert’s chair for computer security to pursue a doctorate degree. His research interests include reverse engineering and counter-espionage.

Christian Grothoff is funded by the Deutsche Forschungsgemeinschaft (DFG) under ENP GR 3688/1-1 until the end of August 2014. He is now moving from the Technische Universität München to Inria Rennes, where he will start a research team in the area of secure decentralized networks. His research interests include compilers, programming languages, software engineering, networking and security.

Monika Ermert is a freelancer for heise online and has written on DNS, DNS security and related issues for many years.

Jacob Appelbaum is an investigative journalist.

Laura Poitras is a documentary film maker and journalist living in Berlin.

Henrik Moltke is an investigative journalist.

The Enemy Online

In addition to simple port scans, GCHQ also downloads so-called banners and other readily available information (Figure 4). A banner is text that some applications send as soon as a client connects to the associated port; it often reveals system and application information, including version numbers, that is useful when looking for vulnerable services. Reconnaissance at the massive scale revealed in the documents shows that the goal is active collection and ubiquitous mapping of vulnerable services, not the pursuit of specific targets.
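The following is an added example, not code from the Heise article or from any of the programs it describes. It puts together the two steps covered above: the connect-probe verdicts that fall out of the three-way handshake (SYN/ACK means open, RST means closed, silence means filtered) and the banner download that follows a successful connect. To run offline it starts a constructed stand-in service on the loopback interface that greets clients with an SSH-style identification line; the banner text, addresses and ports are all constructed for the demonstration.

```python
import socket
import threading


def start_banner_server(banner: bytes, host: str = "127.0.0.1"):
    """Constructed stand-in for a real network service.

    Listens on an ephemeral loopback port and, like SSH or FTP, sends a
    version banner as soon as a client completes the three-way handshake.
    Returns (listening_socket, port); close the socket to stop serving.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listening socket was closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port(host: str = "127.0.0.1") -> int:
    """Pick a port that is (almost certainly) closed: bind, read it, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 1.0):
    """Single TCP connect probe (the full handshake, as in nmap -sT).

    The kernel sends the SYN; the reply decides the verdict:
      SYN/ACK  -> connect() succeeds  -> "open" (then read the banner, if any)
      RST      -> ECONNREFUSED        -> "closed"
      nothing  -> timeout             -> "filtered" (a firewall dropped the SYN)
    No authorization is involved at any point: the host answers before it
    knows who is asking, which is the property port mapping relies on.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:             # includes socket.timeout
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(256)    # many daemons speak first; HTTP does not
    except OSError:
        banner = b""
    finally:
        s.close()
    return "open", banner


def parse_ssh_banner(banner: bytes):
    """Split an SSH identification line 'SSH-protoversion-softwareversion'
    (RFC 4253, section 4.2) into its parts; None if it is not an SSH banner."""
    line = banner.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if not line.startswith("SSH-"):
        return None
    parts = line.split("-", 2)
    if len(parts) < 3:
        return None
    return {"proto": parts[1], "software": parts[2].split(" ", 1)[0]}


def scan(host: str, ports):
    """Map the listed ports; returns {port: (state, banner)}."""
    return {p: probe_port(host, p) for p in ports}


if __name__ == "__main__":
    # Constructed banner, modelled on what a real sshd sends.
    srv, open_port = start_banner_server(b"SSH-2.0-OpenSSH_6.6.1p1 Debian-example\r\n")
    closed_port = unused_port()
    for port, (state, banner) in scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port:5d} {state:8s} {banner!r} {parse_ssh_banner(banner)}")
    srv.close()
```

Against a real host the same loop, run over all 65,535 ports and many addresses, is exactly the HACIENDA workflow; the software string in the banner is what lets the scanner's consumers match a host against a list of known-vulnerable versions without ever authenticating.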

By preparing for attacks against services offered via SSH and SNMP, the spy agency targets critical infrastructure such as systems used for network operations. As shown in the past with the penetration of Belgacom and Stellar, when an employee’s computer system or network credentials may be useful, those systems and people are targeted and attacked.
The database resulting from the scans is then shared with other spy agencies of the Five Eyes spying club (Figure 7), which includes the United States, Canada, United Kingdom, Australia and New Zealand. MAILORDER is described in the documents as a secure transport protocol used between the Five Eyes spy agencies to exchange collected data.

Every device a target

The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of “Mastering the Internet”, which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems. Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.

Using this logic, every device is a target for colonization, as each successfully exploited target is theoretically useful as a means to infiltrating another possible target. Port scanning and downloading banners to identify which software is operating on the target system is merely the first step of the attack (Figure 8). Top secret documents from the NSA seen by Heise demonstrate that the involved spy agencies follow the common methodology of online organized crime (Figure 9): reconnaissance (Figure 10) is followed by infection (Figure 11), command and control (Figure 12), and exfiltration (Figure 13). The NSA presentation makes it clear that the agency embraces the mindset of criminals. In the slides, they discuss techniques and then show screenshots of their own tools to support this criminal process (Figure 14, 15 and 16).

Internet Colonization

The NSA is known to be interested in 0-day attacks, which exploit largely unknown vulnerabilities for which no patch is available. Once an adversary armed with 0-day attacks has discovered that a vulnerable service is running on a system, defense becomes virtually impossible. Firewalls are unlikely to offer sufficient protection, whether because administrators need remote access or because spy agencies have already infiltrated the local network (see: Barton Gellman and Ashkan Soltani, “NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say,” The Washington Post, October 2013). Furthermore, adding equipment such as firewalls administered via SNMP to an internal network may itself open up new vulnerabilities.

Figure 8 points to a particular role that HACIENDA plays in the spy club’s infrastructure, namely the expansion of their covert infrastructure. The top secret documents seen by Heise describe the LANDMARK program, a program by the Canadian spy agency CSEC which is used to expand covert infrastructure (Figure 17).

The covert infrastructure includes so-called Operational Relay Boxes (ORBs), which are used to hide the location of the attacker when the Five Eyes launch exploits against targets or steal data (Figure 18). Several times a year, the spy club tries to take control of as many machines as possible, as long as they are abroad. For example, in February 2010 twenty-four spies located over 3000 potential ORBs in a single work day (Figure 19). However, going over the port scan results provided by HACIENDA was considered too laborious (Figure 20), so they programmed their OLYMPIA system to automate the process (Figure 21). As a result, the spies brag that they can now locate vulnerable devices in a subnet in less than five minutes (Figure 22).

The Canadians are not the only ones using HACIENDA to locate machines to compromise and turn into ORBs. At GCHQ, the hunt for ORBs is organized as part of the MUGSHOT program (Figure 23). The GCHQ has also automated the process and claims significant improvements in accuracy due to the automation (Figure 24). Again the information obtained from HACIENDA plays a prominent role (Figure 25). A key point is that with MUGSHOT the GCHQ integrates results from active scans (HACIENDA) as well as passive monitoring (Figure 26), to “understand everything important about all machines on the Internet”.

Thus, system and network administrators now face the threat of industrial espionage, sabotage and human rights violations created by nation-state adversaries indiscriminately attacking network infrastructure and breaking into services. Such an adversary needs little reason for an attack beyond gaining access and is supported by a multi-billion dollar budget, immunity from prosecution, and compelled collaboration by companies from Five Eyes countries. As a result, every system or network administrator needs to worry about protecting their systems against this unprecedented threat level. In particular, citizens of countries outside of the Five Eyes have, as a result of these programs, greatly reduced security, privacy, integrity and resilience.

Spy agencies are using their powers to commandeer Internet systems for power projection. Their actions follow the standard template of cyber-criminal behavior, using reconnaissance through active and passive port scanning to identify potential victims. Given this serious threat, system administrators need to improve their defensive posture and, in particular, reduce the visibility of non-public services. Patching services does not help against 0-day attacks, and firewalls may not be applicable or sufficient. In the second part of this article, we introduce another option for system administrators to make non-public system administration services less visible to reconnaissance operations. By standardizing such techniques, the Internet community may be able to dampen the ability of security services to master the Internet.

Knocking down the HACIENDA

In this article, we will describe a new port knocking variant that uses the nation-state adversary model, and thus offers some protections against the HACIENDA program, thereby possibly stopping the spy agencies at the reconnaissance stage.

While defending against undisclosed vulnerabilities in public services is rather difficult, minimizing one’s visible footprint and thus one’s attack surface for administrative services is much easier. Port knocking [9] is a well-known method for making TCP servers less visible on the Internet. The basic idea is to make a TCP server not respond (positively) to a TCP SYN request unless a particular “knock” packet has been received first. This can be helpful for security, as an attacker who cannot establish a TCP connection also cannot really attack the TCP server.

However, traditional port knocking techniques [10] generally do not consider a modern nation-state adversary. Specifically, port scans are not the only method an attacker may use to learn of the existence of a service: if the service is accessed over a network where the adversary can sniff the traffic, the adversary may observe the connection and thereby deduce that the service exists. A nation-state attacker may even be able to observe all traffic from the TCP client and perform man-in-the-middle attacks on traffic originating from the client. In particular, with compromised routers in the infrastructure, it is possible to execute a man-in-the-middle attack that takes over a TCP connection just after the initial TCP handshake has completed. An advanced attacker in control of routers may also try to identify insufficiently stealthy port knocks by detecting unusual patterns in network traffic. However, it may still be safe to assume that this adversary does not flag a standard TCP handshake as suspicious, as it is far too common.

TCP Stealth

TCP Stealth is an IETF draft (Julian Kirsch, Christian Grothoff, Jacob Appelbaum, and Holger Kenn: “TCP Stealth,” August 2014, IETF draft) describing an easily deployed and stealthy port knocking variant. TCP Stealth embeds the authorization token in the TCP initial sequence number (ISN), and enables applications to add payload protections. As a result, TCP Stealth is hard to detect on the network, as the traffic is indistinguishable from an ordinary TCP three-way handshake, and man-in-the-middle attacks as well as replay attacks are mitigated by the payload protections. TCP Stealth works with IPv4 and IPv6.
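To make the mechanism concrete, here is an added, simplified model of the two checks a TCP Stealth server performs; it is not the draft's exact construction and not the Knock patch's kernel code. It assumes HMAC-SHA256 as the keyed function, a 16/16 split of the 32-bit ISN into an authorization token and a payload integrity tag, a token bound to the address pair, destination port and a coarse time window (with one window of clock-skew tolerance), and the KNOCK_INTLEN idea from the Knock tools for how many payload bytes the tag covers. The addresses, secret and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct


def _prf(secret: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (the keyed function is an assumption of this model)."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(struct.pack("!I", len(part)) + part)
    return mac.digest()


def knock_token(secret: bytes, src_ip: str, dst_ip: str, dst_port: int, window: int) -> int:
    """16-bit authorization token. Binding it to the addresses, port and a time
    window means a SYN captured on the wire is useless later or against another host."""
    digest = _prf(secret, socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                  struct.pack("!H", dst_port), struct.pack("!Q", window))
    return struct.unpack("!H", digest[:2])[0]


def integrity_tag(secret: bytes, payload_prefix: bytes) -> int:
    """16-bit tag over the first bytes the client will send; 0 when integrity protection is off."""
    if not payload_prefix:
        return 0
    return struct.unpack("!H", _prf(secret, payload_prefix)[:2])[0]


def client_isn(secret: bytes, src_ip: str, dst_ip: str, dst_port: int,
               window: int, payload_prefix: bytes = b"") -> int:
    """The ISN the client places in its SYN: token in the upper half, tag in the lower half.
    On the wire this is just a 32-bit sequence number, so the SYN looks ordinary."""
    return (knock_token(secret, src_ip, dst_ip, dst_port, window) << 16) \
        | integrity_tag(secret, payload_prefix)


def server_check_syn(secret: bytes, src_ip: str, dst_ip: str, dst_port: int,
                     window: int, isn: int, tolerance: int = 1) -> bool:
    """Decision at SYN time. On failure the server answers RST, exactly as for a
    closed port, so a scanner cannot tell a knocked service from no service.
    Only 16 bits protect this step: about 65,536 SYNs brute-force it (page: 'luck or brute force')."""
    got = struct.pack("!H", isn >> 16)
    for w in range(window - tolerance, window + 1):   # accept slightly stale clocks
        want = struct.pack("!H", knock_token(secret, src_ip, dst_ip, dst_port, w))
        if hmac.compare_digest(got, want):
            return True
    return False


def server_check_payload(secret: bytes, isn: int, payload: bytes, intlen: int) -> bool:
    """Decision once the first intlen bytes of data arrive. A man-in-the-middle who
    takes over the connection after the handshake cannot forge data that matches
    the tag committed in the SYN, so the server tears the connection down."""
    want = struct.pack("!H", integrity_tag(secret, payload[:intlen]))
    return hmac.compare_digest(struct.pack("!H", isn & 0xFFFF), want)


if __name__ == "__main__":
    secret = b"shared secret"
    client, server, port, window = "192.0.2.10", "198.51.100.5", 22, 12345
    first_bytes = b"SSH-2.0-client\r\n"          # 16 bytes, so intlen=16 covers exactly this line
    isn = client_isn(secret, client, server, port, window, first_bytes)
    print("honest SYN accepted:   ", server_check_syn(secret, client, server, port, window, isn))
    print("scanner SYN accepted:  ", server_check_syn(secret, client, server, port, window, 0x12345678))
    print("honest payload accepted:", server_check_payload(secret, isn, first_bytes, 16))
    print("hijacked payload accepted:", server_check_payload(secret, isn, b"SSH-2.0-evil\r\n", 16))
```

The second check is the reason the article insists that key material belongs in the first bytes of a connection: the tag only commits to the first intlen bytes, so whatever the application sends after that is as exposed as it was before unless those bytes have already bootstrapped a cryptographic session.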

TCP Stealth is useful for any service whose user group is small enough that sharing a passphrase with all members is practical. Examples include administrative SSH or FTP access to servers, Tor bridges, personal POP3/IMAP(S) servers and friend-to-friend peer-to-peer overlay networks. The easiest way to use TCP Stealth is with operating system support. TCP Stealth is available for Linux systems using the Knock patch (see: Julian Kirsch, “Knock,” August 2014). For kernels that include this patch, TCP Stealth support can be added to applications via a simple setsockopt() call, or by pre-loading the libknockify shared library and setting the respective environment variables.

Installation

As mainline Linux does not yet offer support for Knock, the kernel of the machine that should use Knock needs to be patched. Patching the kernel is straightforward:

1. First, obtain the sources of the desired kernel version from https://www.kernel.org if you intend to run a vanilla kernel. Note that many distributions make adaptations to the kernel and therefore provide customized kernel sources, so you may want to check for those instead.

2. Once the kernel sources are available, download the appropriate Knock patch from https://gnunet.org/knock. Note that if you intend to run a kernel version which is not explicitly listed on the Knock website, the best option is to try out the patches of the closest version provided.

3. Change to the directory where the kernel sources reside (replace the <your-version> part according to your choice of kernel and patch version) and apply the patches (you can find more information on how to apply and revert patches to the kernel source in the kernel.org archives):

to compile the kernel and all additional modules. Be prepared for the fact that this step can take a long time. If you have a machine with more than one processor core, you can adjust the number of build threads using the -j option to both make commands.

8. If compilation succeeds, install the new kernel and all modules; the install step also creates a new initial RAM disk (initramfs) for the newly compiled kernel. If you have sudo installed, enter

~/linux $ sudo make modules_install && sudo make install

otherwise enter these commands at a root prompt, leaving out both sudos.

9. Reboot the machine and instruct your boot manager to boot into the new kernel. You now have a Knock aware machine.

Enabling Knock Using LD_PRELOAD

Knock can be used without having to modify the source code of the program. This can be useful in cases where the source code is not available or when inserting the needed libc calls is infeasible (for example due to restrictions imposed by the application logic).

In order to use Knock in existing applications, a dynamic library, libknockify, is provided. The basic usage of the libknockify shared object to enable Knock for the program example_program is as follows (the variable assignments and the preload must be on the same command line, or exported, so that they reach the process):

KNOCK_SECRET="shared secret" KNOCK_INTLEN=42 LD_PRELOAD=./libknockify.so ./example_program

Afterwards, if the application example_program communicates via TCP, libknockify will set the respective socket options to enable the use of Knock in the kernel. In the example, the shared secret is derived from the text “shared secret”, and content integrity protection is limited to the first 42 bytes of payload in the TCP stream. If the KNOCK_INTLEN variable is not set, content integrity protection is disabled.

Using TCP Stealth via setsockopt()

Application developers can integrate support for TCP Stealth directly into their code. This has the advantage that it is possible to control which TCP connections have TCP Stealth enabled, and it may further improve usability. To enable basic port knocking with a Knock-enabled kernel, the application only needs to perform a single setsockopt() call (at level IPPROTO_TCP, like any other TCP socket option) after creating the TCP socket and before connect() or listen():

char secret[64] = "This is my magic ID."; /* remaining bytes are zero-filled and are part of the secret */

if (setsockopt (sock, IPPROTO_TCP, TCP_STEALTH, secret, sizeof (secret)) != 0)
  perror ("setsockopt (TCP_STEALTH)"); /* e.g. ENOPROTOOPT on a kernel without the Knock patch */

For content integrity protection, TCP clients need to additionally specify the first bytes of the payload that will be transmitted in a second setsockopt() call before invoking connect():

Limitations

Nowadays, most end-user devices access the Internet from behind a gateway router which performs network address translation (NAT). While TCP Stealth was designed to avoid the use of information that is commonly altered by NAT devices, some NAT devices modify TCP timestamps and ISNs and may thus interfere with the port knocking mechanism.

Table 1 summarizes experiments by Honda et al. showing how common ISN modification by NAT devices is in practice. In terms of security, TCP Stealth is limited to the 32 bits of the TCP ISN field; hence, a persistent adversary may still succeed by luck or brute force. However, we believe that TCP Stealth will provide adequate protections against indiscriminate attackers performing untargeted attacks (such as HACIENDA). Moving administrative services to non-standard ports can further decrease the chance of accidental discovery by active port scanners.

While the use of integrity protection with TCP Stealth is technically optional, port knocking without integrity protections offers little security against an adversary that observes network traffic and hijacks connections after the initial TCP handshake. Thus, future network protocols should be designed to exchange key material at the beginning of the first TCP packet. Sadly, this is not the case for SSH, which instead exposes a banner with version information to an attacker well before the cryptographic handshake. Hence, design flaws in the SSH protocol currently require the use of an additional obfuscation patch [2] to effectively use TCP Stealth integrity protections with SSH.

Summary

Technical solutions such as TCP Stealth are one way for administrators to harden their systems by protecting internal TCP services against attacks by criminals, be they private, commercially motivated or state parties. However, as Linus Neumann of the CCC recently stated in an op-ed for Heise, it may not be possible to win the race in the long run solely through technical means. Without the necessary political will to legally protect, promote and fund secure communication systems, this one-sided battle will continue, and users will lose. Neumann underlined that secure communication systems are possible, but that governments are much more concerned about loss of control than about hardened (and less controllable) networks. Much political work lies ahead; however, operating system vendors and administrators can improve the situation today by deploying modern security solutions.


A restricted document from U.S. Strategic Command provides insight into the underlying philosophy of military efforts to wage cyber warfare.

At the 39th Joint Doctrine Planning Conference, a semiannual meeting on topics related to military doctrine and planning held in May 2007, a contractor for Booz Allen Hamilton named Paul Schuh gave a short presentation discussing doctrinal issues related to “cyberspace” and the military’s increasing effort to define its operations involving computer networks. Schuh, who would later become chief of the Doctrine Branch at U.S. Cyber Command, argued that military terminology related to cyberspace operations was inadequate and failed to address the expansive nature of cyberspace. According to Schuh, the existing definition of cyberspace as “the notional environment in which digitized information is communicated over computer networks” was imprecise. Instead, he proposed that cyberspace be defined as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.”

Amid the disagreements about “notional environments” and “operational domains,” Schuh informed the conference that “experience gleaned from recent cyberspace operations” had revealed “the necessity for development of a lexicon to accommodate cyberspace operations, cyber warfare and various related terms” such as “weapons consequence” or “target vulnerability.” The lexicon needed to explain how the “‘four D’s (deny, degrade, disrupt, destroy)” and other core terms in military terminology could be applied to cyber weapons. The document that would later be produced to fill this void is The Cyber Warfare Lexicon, a relatively short compendium designed to “consolidate the core terminology of cyberspace operations.” Produced by the U.S. Strategic Command’s Joint Functional Command Component – Network Warfare, a predecessor to the current U.S. Cyber Command, the lexicon documents early attempts by the U.S. military to define its own cyber operations and place them within the larger context of traditional warfighting. A version of the lexicon from January 2009 obtained by Public Intelligence includes a complete listing of terms related to the process of creating, classifying and analyzing the effects of cyber weapons. An attachment to the lexicon includes a series of discussions on the evolution of military commanders’ conceptual understanding of cyber warfare and its accompanying terminology, attempting to align the actions of software with the outcomes of traditional weaponry.

Defining Cyber Warfare

One of the primary reasons for creating a lexicon devoted to cyber warfare is that there are “significant underlying differences” between traditional military operations and so-called “non-traditional weapons” such as those employed in cyber warfare. The lexicon was intended to reduce these differences by integrating and standardizing the “use of these non-traditional weapons” while providing “developers, testers, planners, targeteers, decision-makers, and battlefield operators . . . a comprehensive but flexible cyber lexicon that accounts for the unique aspects of cyber warfare while minimizing the requirement to learn new terms for each new technology of the future.” Described as a Language to Support the Development, Testing, Planning, and Employment of Cyber Weapons and Other Modern Warfare Capabilities, the lexicon is designed to facilitate the construction and employment of cyber weapons:

The cyber warfare community needs a precise language that both meets their unique requirements and allows them to interoperate in a world historically dominated by kinetic warfare. Mission planners must be able to discuss cyber weapons with their commanders, the intelligence analysts, the targeteers, and the operators, using terms that will be understood not just because they have been defined somewhere in doctrine, but also because they make sense. Giving the weapons planners a well-founded lexicon enables them to have far-reaching discussions about all manner of weapons and make important decisions with a significantly reduced likelihood of misunderstanding and operational error.

To understand what exactly constitutes a cyber weapon and what makes it so different from the kind of weapons employed in traditional warfare, it is important to understand the objectives of cyber warfare. Cyber warfare is defined in the lexicon as the creation of “effects in and through cyberspace in support of a combatant commander’s military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms.” This can be accomplished through cyber attacks, cyber defense as well as cyber exploitation, with each option providing its own unique set of associated capabilities and potential outcomes. Cyber attacks bear the greatest resemblance to popular notions of cyber war, incorporating actions to “deny or manipulate information and/or infrastructure in cyberspace” through methods like a computer network attack (CNA) that are intended to “disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.” Cyber defense is primarily focused on defending U.S. military networks from similar attacks conducted by other nations or non-state actors and protecting the integrity of the Department of Defense’s Global Information Grid (GIG), which carries military communications worldwide. Cyber exploitation is focused primarily on the collection of intelligence and other useful data from targeted computer systems to enable improved “threat recognition” that can contribute to future operations in cyberspace.

These components of cyber warfare rely on capabilities that are used to construct cyber weapon systems. A cyber warfare capability is a “device, computer program or technique” that includes any combination of “software, firmware, and hardware” that is “designed to create an effect in cyberspace, but has not been weaponized.” Weaponization is a process that takes these capabilities and implements “control methods, test and evaluation, safeguards, security classification guidance, interface/delivery method” and other tactical considerations to ensure that the capability can be properly employed to produce the intended effect. A completed cyber weapon system is a combination of one or more of these capabilities that have been weaponized and are ready for deployment. These weapons can then be categorized based upon specific uses and issues related to their employment, such as who is authorized to use them. One suggested schema in the lexicon provides three categories: the first for weapons that require approval from the combatant commander, a second for weapons that are pre-approved for specific uses and a third that requires the approval of the President or Secretary of Defense before the weapon can be utilized.

One of the “Discussions on Cyberspace Operations” contained in the lexicon follows the military’s historical apprehension toward describing software programs and other cyber capabilities as weapons. Throughout the early 1990s, the term “tool” was widely favored in the initial phases of the military’s cyber warfare mission. One reason for this reluctance was military commanders’ concerns about the lack of authority under Title 10 for conducting cyber operations. However, given that there are six “Joint functions” recognized in military doctrine “C2 [command and control], Intel, Fires, Maneuver, Protection and Sustainment,” the use of any offensive cyber capabilities “unquestionably” is a form of fires, making the cyber capability itself a kind of weapon. The idea that software and computer hardware could be considered a weapon is further complicated by the fact that many offensive cyber capabilities consist of nothing more than “cyber techniques” that involve “keystrokes, but where no hardware or software is introduced into the target system.” When “last minute changes in the target render the approved weapon inert, an operator might need to use cyber techniques to complete an assigned mission, particularly one that has been approved for effect or objective,” making the certification process and training of the “operator” critical to considering cyber capabilities as a “weapon system.” There must be control methods, testing and evaluation, safeguards, certified personnel, mission logs, a concept of operations as well as tactics, techniques and procedures on how to employ the weapon system. 
This is similar to the situation with conventional weapons as “the very first M-16 rifle ever made, while a ‘weapon’ in the dictionary sense of the word, was not deployed until it was operationally tested, had a training program, spare parts inventory, etc.” It was only after this process that “each new M-16 was part of a ‘weapon system’ and could be crated and shipped to the front lines directly from the assembly line.”

Cyber Weapons and Their Effects

A fundamental distinction discussed in the lexicon, one which separates cyber weapons from those used in conventional warfare, is the distinction between kinetic and non-kinetic weaponry. Kinetic weapons are those that “use forces of dynamic motion and/or energy upon material bodies” whereas non-kinetic weapons are those that “create their effects based upon the laws of logic or principles other than the laws of physics.” Within each of these broad categories, there are further distinctions based upon the lethality of the weapon being described. For example, a Mark-84 bomb is an example of a lethal kinetic weapon capable of inflicting physical damage to material entities based upon the use of motion and force. The Active Denial System, a directed-energy weapon which uses millimeter waves to create a sensation of heat on the skin of human targets, is an example of a non-lethal kinetic weapon. As a non-kinetic weapon creates its effect through the use of logic or other principles, the category necessarily encompasses a much wider array of weapon systems from diverse fields like information warfare and psychological operations. Biological and chemical weapons are examples of lethal non-kinetic weapons that rely upon biological factors rather than physical force to create their effect. Computer network attack (CNA) software, on the other hand, is an example of a non-lethal non-kinetic weapon, creating an effect based solely on the logical operations it performs on a targeted computer system.

While cyber weapons are considered to be non-lethal in their effects, this doesn’t mean that non-lethal weapons are “required to have zero probability of causing fatalities, permanent injuries, or destruction.” To better understand the effects that non-lethal non-kinetic weapons can have, the lexicon attempts to align cyber weapons with the traditional terminology of the “Four D’s” used throughout the information operations community: deny, destroy, degrade and disrupt. One discussion in the lexicon introduces a construct to understand these effects in terms of a scope, level and time of “denial” in a targeted system, causing “reduction, restriction, or refusal of target operations.” Using this framework, “degrade, disrupt, and destroy” would all be considered different forms of denial that have varying scopes. Disrupt introduces a “time aspect of denial” and degrade adds an “amount or level of denial.” The final term “destroy” is saved for the “special case that includes the maximum time and maximum amount of denial.” The lexicon even proposes a function for calculating denial:

Quantitatively, denial (D) can be expressed as a function of scope (s), level (l), and time (t), i.e. D(s,l,t). Defining effects in this manner makes it clear to the planning staff that each of the parameters of the function must be considered and specified as necessary as indicated by, or derived from, commander’s objective. As the level (l) or amount approaches 100% and time (t) approaches infinity, destruction is achieved.

The true effects of a cyber weapon often differ significantly from simply denying or even destroying an enemy system. Every weapon “takes an action” when it is triggered and this action is “intended to have an effect.” For a traditional bomb, that action is a “kinetic explosion and the effect is normally target damage,” whereas a cyber weapon may result in “the execution of some software and the effects, some form of denial or manipulation.” However, weapons also have “outcomes that are not expected and are not required to achieve the objective.” The lexicon describes these as indirect effects that can result in consequences for unintended targets. When these consequences affect unlawful targets or cause “damage to persons or objects that would not be lawful military targets,” they are considered “collateral effects” that are similar to the traditional notion of collateral damage.

Vulnerabilities and Target States

Past worries about collateral damage from cyber weapons have proven to be well founded. In the summer of 2010, copies of an unknown computer worm began replicating throughout the internet using a vulnerability in Microsoft Windows to find its way into the control systems of major corporations like Chevron. However, the malicious program was not the work of Chinese hackers or sophisticated cyber criminals, it was a cyber weapon called Stuxnet created as part of a joint U.S. and Israeli intelligence operation targeting Iran’s nuclear program that was codenamed “Olympic Games.” Stuxnet would later claim other unintended targets, including a Russian nuclear power plant. Unintended effects associated with cyber weapons are dangerous for a number of reasons, including the risk that an adversary might be able to use the weapon, once discovered, against the originator of the attack. According to the lexicon, these vulnerabilities of cyber weapons can be separated into six distinct categories:

(U//FOUO) Detectability risk – The risk that a weapon will be unable to elude discovery or suspicion of its existence. This includes the adverse illumination risk of hardware weapons.

(U//FOUO) Attribution risk – The risk that the discoverer of a weapon or weapon data will be able to identify the source and/or originator of the attack or the source of the weapon used in the attack.

(U//FOUO) Co-optability risk – The risk that, once discovered, the weapon or its fires will be able to be recruited, used, or reused without authorization.

(U//FOUO) Security Vulnerability risk – The risk that, once discovered, an unauthorized user could uncover a security vulnerability in the weapon that allows access to resources of the weapon or its launch platform. This includes the risk of an adversary establishing covert channels over a weapon’s C2 link.

(U//FOUO) Misuse risk – The risk that the weapon can be configured such that an authorized user could unintentionally use it improperly, insecurely, unsafely, etc.

(U//FOUO) Policy, Law, & Regulation (PLR) risk – The risk that the weapon can be configured such that an authorized user could intentionally use it in violation of existing policy, laws, and regulations.

These vulnerabilities are “mostly unfamiliar to the kinetic weapons community, and are due to the complexity of the weapons, the dynamic nature of the ‘atmosphere’ of cyberspace, and the difficulty of gathering detailed intelligence about cyber targets.” A discussion on cyber weapon vulnerabilities in the lexicon argues that “the crowded nature of cyberspace and the proliferation of anonymizing technologies can work to both our advantage and disadvantage, in that attribution can be very difficult for both our adversaries and ourselves.” Once a network target has been “accessed and subverted,” the implanted cyber weapon should be “considered like a mine or an improvised explosive device (IED) where there are no longer any delivery considerations for the weapon, but only survivability and transferring of commands and updates.”

In several portions of the lexicon, attacking unaffiliated infrastructure that happens to be used by an adversary is discussed as a viable means of creating a “second order” effect on the target. For example, if “privileged access is not possible, we may still be able to create our desired effect in the first order by using public access to the target” such as “a distributed denial of service (DDOS) that floods a port on the target.” When the intended target “cannot be directly accessed via either public or privileged means, the desired effect can still be achieved by targeting an intermediating link or node so that the desired effect cascades from the first order effect.” An example of this is “conducting a DDOS attack on a critical link” leading to the target or “degradation through packet flooding” by assuming the “maximum data bus speed and a maximum input/output processor throughput on the target.” A ping flood attack can be “directed at a single IP address or broadcast to a whole Class B IP domain with thousands of recipients.”

The effectiveness of a cyber weapon corresponds to its ability to place a target into a particular state of operation. The target state “corresponds to the condition of the target with respect to a military objective” such as creating a root shell for privileged access. A cyberspace target can typically be considered to be in one of the following “five states relative to achieving a commander’s primary objective”:

Unconfirmed: Unknown if there is an access path to target.

Confirmed/Nominal: Access path to target established.

Unprivileged access: Unprivileged access to target established.

Privileged access/At risk: Privileged access to target established.

Goal/Other condition: Target has been placed in the desired or other intermediate condition.

Using a real world example, the lexicon asks us to “consider the use of a ‘buffer overflow’ capability to achieve ‘root’ level (privileged) access on a computer operating system in order to disable an adversary’s computer program.” The use of a “buffer overflow creates an initial effect (access to unauthorized portion of memory) and, by including in the buffer overflow capability other carefully crafted code, it can also enable another effect (e.g. gaining root access) and place the target in a different state.” Whereas the previous state of the target was “nominal,” the new state of the target is “compromised.” If the system administrator has implemented “a mechanism to log and report all creations of a root shell,” the outcome can still create unintended consequences because the cyber weapon could be detected and then be susceptible to attribution or manipulation. With certain types of cyber weapons this sort of discovery or attribution could present serious problems, though with others it may prove to be of little use to the weapon’s discoverer. As cyber weapons only “deliver information or some other information-related effect to the target and not high explosive or high energy,” they can be used “as long as we have electrical power.”


U.S. Strategic Command Cyber Warfare Lexicon

The following definitions are taken from U.S. Strategic Command (USSTRATCOM) Cyber Warfare Lexicon Version 1.7.6.

(U//FOUO) cyberspace: a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. (from 12 May 2008 SECDEF memo)

[(U//FOUO) Previous version – cyberspace: A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures. (from NMS-CO)]

(U//FOUO) cyberspace operations (CO): All activities conducted in and through cyberspace in support of the military, intelligence, and business operations of the Department. (based on NMS-CO description)

(U//FOUO) cyberspace operations (CO): The employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the global information grid. (from 29 Sep 2008 VJCS Memo, however it is inconsistent with NMS-CO and improperly limited)

(U//FOUO) cyber warfare (CW): Creation of effects in and through cyberspace in support of a combatant commander’s military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms. Composed of cyber attack (CA), cyber defense (CD), and cyber exploitation (CE).

(U//FOUO) cyber warfare capability: A capability (e.g. device, computer program, or technique), including any combination of software, firmware, and hardware, designed to create an effect in cyberspace, but that has not been weaponized. Not all cyber capabilities are weapons or potential weapons.

(U//FOUO) cyber weapon characterization: The process of determining and documenting the effect producing mechanisms and assurance factors of cyber weapons. Characterization includes aspects of technical assurance evaluation, OT&E, risk/protection assessments, and other screening processes. Answers the question: “What do I need to know about this weapon before I can use it?” [Note: Cyber Weapon Characterization is one step in the Cyber Weaponization process.]

(U//FOUO) cyber weapon categorization: A binning of cyber weapon capabilities into categories, based on risk assessment and the release authority required for their use. Useful for answering the question: “Who can authorize use of this weapon?” Example categories might be:

(U//FOUO) cyber weapon vulnerability: An exploitable weakness inherent in the design of a cyber weapon. Weaknesses are often in one of the following risk areas:

detectability risk – The risk that a weapon will be unable to elude discovery or suspicion of its existence. This includes the adverse illumination risk of hardware weapons.

attribution risk – The risk that the discoverer of a weapon or its effect will be able to identify the source and/or originator of the attack or the source of the weapon used in the attack.

co-optability risk – The risk that, once discovered, the weapon or its fires will be able to be recruited, used, or reused without authorization.

security vulnerability risk – The risk that, once discovered, an unauthorized user could uncover a security vulnerability in the weapon that allows access to resources of the weapon or its launch platform. This includes the risk of an adversary establishing covert channels over a weapon’s C2 link.

misuse risk – The risk that the weapon can be configured such that an authorized user could unintentionally use it improperly, insecurely, unsafely, etc.

policy, law, & regulation (PLR) risk – The risk that the weapon could be configured such that an authorized user could intentionally use it in violation of existing policy, laws, and regulations.

(U) deny: To attack by degrading, disrupting, or destroying access to or operation of a targeted function by a specified level for a specified time. Denial is concerned with preventing adversary use of resources.

(U) degrade: (a function of amount) To deny access to or operation of a targeted function to a level represented as a percentage of capacity. Desired level of degradation is normally specified.

(U) disrupt: (a function of time) To completely but temporarily deny access to or operation of a targeted function for a period represented as a function of time. Disruption can be considered a special case of degradation where the degradation level selected is 100%.

(U) destroy: To permanently, completely, and irreparably deny access to, or operation of, a target. Destruction is the denial effect where time and level are both maximized.

(U) effects assessment (EA): The timely and accurate evaluation of effects resulting from the application of lethal or non-lethal force against a military objective. Effect assessment can be applied to the employment of all types of weapon systems (air, ground, naval, special forces, and cyber weapon systems) throughout the range of military operations. Effects assessment is primarily an intelligence responsibility with required inputs and coordination from the operators. Effects assessment is composed of physical effect assessment, functional effect assessment, and target system assessment. Note: Battle Damage Assessment (BDA) is a specific type of effects assessment for damage effects. (This is a direct adaptation from the JP 1-02 definition of BDA.)

(U//FOUO) intended cyber effect: A sorting of cyber capabilities into broad operational categories based on the outcomes they were designed to create. These categories are used to guide capability selection decisions. Answers the question: “What kind of capability is this?” Specifically:

(U) kinetic: Of or pertaining to a weapon that uses, or effects created by, forces of dynamic motion and/ or energy upon material bodies. Includes traditional explosive weapons/ effects as well as capabilities that can create kinetic RF effects, such as continuous wave jammers, lasers, directed energy, and pulsed RF weapons.

(U) non-lethal: Of or pertaining to a weapon or effect not intended to cause death or permanent injuries to personnel. Nonlethal effects may be reversible and are not required to have zero probability of causing fatalities, permanent injuries, or destruction of property.

(U//FOUO) manipulate: To attack by controlling or changing a target’s functions in a manner that supports the commander’s objectives; includes deception, decoying, conditioning, spoofing, falsification, etc. Manipulation is concerned with using an adversary’s resources for friendly purposes and is distinct from influence operations (e.g. PSYOP, etc.).

(U) misfire: The failure of a weapon to take its designed action; failure of a primer, propelling charge, transmitter, emitter, computer software, or other munitions component to properly function, wholly or in part. (Note: adapted directly from JP 1-02 of misfire.)

(U) weapon action: The effect-producing mechanisms or functions initiated by a weapon when triggered. The weapon actions of a kinetic weapon are blast, heat, fragmentation, etc. The weapon actions of a cyber attack weapon might be writing to a memory register or transmission of a radio frequency (RF) waveform.

(U) weapon effect: A direct or indirect objective (intended) outcome of a weapon action. In warfare, the actions of a weapon are intended to create effects, typically against the functional capabilities of a material target or to the behavior of individuals. Effect-based tasking is specified by a specific target scope, desired effect level, and start time and duration.

direct effect: An outcome that is created directly by the weapon’s action. Also known as a first order effect.

indirect effect: An outcome that cascades from one or more direct effects or other indirect effects of the weapon’s action. Also known as second, third, Nth order effects, etc.